This is the second part of our overview of strategies for complying with the General Data Protection Regulation (GDPR). The first part of the article is available here.
4. Setting the Terms for the Cooperation with the Third Parties
The GDPR does not apply only to the company that processes personal data (the controller); it also binds the third parties with which that company cooperates or exchanges user information (its processors). Now is the right moment for any company to review all of its third-party contracts and make sure they are GDPR compliant: Article 28 requires that processing carried out on a controller's behalf be governed by a written contract. Third parties must disclose how they process and store user data, so that there is permanent transparency about where personal information circulates and to whom it is transferred.
5. Respecting the “Right to be Forgotten”
Once a user stops using an operator's services, or at any other time at the user's request, the company must correctly follow its procedure for deleting that user's personal data. Unless there are legal grounds to keep the data or to refuse the deletion, the company must answer the request without undue delay and in any event within one month (30 days is the figure commonly used in practice). In practice, this means every enterprise needs the infrastructure and systems to locate a person's data across all of its stores, actually erase it, and record when each request was received and fulfilled.
6. Creating Separate Information Storage Systems
In line with the principle of organizing data correctly, many companies have started to implement a centralized system that stores all user data, with separate applications that access only the information they need. In practice, each application or department (HR, Marketing, Sales, etc.) processes only a defined subset of the data, which reduces the chance of data being compromised or leaked: a breach of one application exposes only that application's subset. The pattern is comparable to the token system used in online banking, where most systems handle a surrogate rather than the sensitive value itself. Although this approach may seem expensive at first, in the long run it significantly reduces potential costs and risks.
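The two mechanisms described in sections 5 and 6, a central store of personal data that each application can only read through a per-application field allow-list, and an erasure workflow that tracks the deadline for each "right to be forgotten" request and honours legal holds, are illustrated together below. This is an added example written for this article, not code from any company or product it describes; the department names, field names, sample user record and the 30-day deadline are assumptions chosen for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample record for the central store (assumed field names).
USER_DATA = {
    "u-1001": {
        "name": "Ana Pop",
        "email": "ana@example.com",
        "salary": 4200,
        "marketing_opt_in": True,
        "purchase_history": ["order-1", "order-2"],
    },
}

# Per-application allow-list: each department sees only the fields it needs.
# Applications not listed here are denied by default.
ACCESS_POLICY = {
    "hr": {"name", "salary"},
    "marketing": {"email", "marketing_opt_in"},
    "sales": {"name", "purchase_history"},
}

# Assumed response window for erasure requests (the article uses 30 days).
ERASURE_DEADLINE = timedelta(days=30)


class AccessDenied(Exception):
    """Raised when an application has no access policy at all."""


@dataclass
class ErasureRequest:
    user_id: str
    requested_at: datetime
    fulfilled_at: Optional[datetime] = None
    legal_hold: Optional[str] = None  # legal ground for keeping the data, if any

    @property
    def deadline(self) -> datetime:
        return self.requested_at + ERASURE_DEADLINE


class PersonalDataStore:
    """Single store of personal data with field-level access per application."""

    def __init__(self, records: dict, policy: dict):
        self._records = {uid: dict(rec) for uid, rec in records.items()}
        self._policy = policy
        self._requests: list[ErasureRequest] = []

    def view(self, app: str, user_id: str) -> dict:
        """Return only the fields the calling application is allowed to see."""
        allowed = self._policy.get(app)
        if allowed is None:
            raise AccessDenied(f"no access policy for application {app!r}")
        record = self._records.get(user_id)
        if record is None:
            return {}  # unknown or already erased user: nothing to disclose
        return {k: v for k, v in record.items() if k in allowed}

    def request_erasure(self, user_id: str, requested_at: datetime,
                        legal_hold: Optional[str] = None) -> ErasureRequest:
        """Log a right-to-be-forgotten request so its deadline can be tracked."""
        req = ErasureRequest(user_id, requested_at, legal_hold=legal_hold)
        self._requests.append(req)
        return req

    def fulfil(self, req: ErasureRequest, now: datetime) -> bool:
        """Erase the record unless a legal hold applies. Returns True if erased."""
        if req.legal_hold:
            return False  # lawful ground to retain: the request is refused
        self._records.pop(req.user_id, None)
        req.fulfilled_at = now
        return True

    def overdue(self, now: datetime) -> list[ErasureRequest]:
        """Open requests past their deadline that are not under legal hold."""
        return [r for r in self._requests
                if r.fulfilled_at is None and not r.legal_hold and now > r.deadline]


def demo() -> dict:
    """Walk through both mechanisms and return the observable results."""
    store = PersonalDataStore(USER_DATA, ACCESS_POLICY)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    hr_view = store.view("hr", "u-1001")
    req = store.request_erasure("u-1001", t0)
    overdue_before = len(store.overdue(t0 + timedelta(days=31)))
    erased = store.fulfil(req, t0 + timedelta(days=5))
    held = store.request_erasure("u-1001", t0, legal_hold="open tax audit")
    return {
        "hr_view": hr_view,
        "overdue_before_fulfilment": overdue_before,
        "erased": erased,
        "hr_view_after": store.view("hr", "u-1001"),
        "overdue_after": len(store.overdue(t0 + timedelta(days=40))),
        "held_erased": store.fulfil(held, t0 + timedelta(days=6)),
    }


if __name__ == "__main__":
    print(demo())
```

The deny-by-default lookup in `view` is the important design choice: a new department that has not been given a policy gets nothing rather than everything, and a request for a user who has already been erased returns an empty view instead of an error that would leak whether the person ever existed. The legal-hold field carries the "legal grounds to keep the personal information" exception, and `overdue` is what a compliance dashboard would poll to catch requests drifting past the deadline.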
7. Efficient Measures to Avoid Sanctions
The consequences of not complying with the GDPR are severe and, in some cases, may lead to actual bankruptcy. Fines can reach EUR 20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. Among the most effective ways of avoiding such drastic sanctions are keeping organized records of processing activities, notifying the supervisory authority of any personal data breach (within 72 hours of becoming aware of it, where feasible), and carrying out data protection impact assessments where processing is likely to present a high risk. In principle, all of the strategies above help mitigate or eliminate the risk of leakage or improper handling of personal information and, by extension, the risk of fines.